Common Safety Method or Best Practice - A Practical ... · CSM-RA were voluntary until 1 July 2012...

Berlin, 12-17 October 2014, Busch, Gjønnes, Tveraaen

Common Safety Method or Best Practice - A Practical Implementation of

CSM-RA

Carsten Busch, Kjetil Gjønnes, Mona Tveraaen

Jernbaneverket

SUMMARY

What’s in it for us - that was the leading principle that Jernbaneverket followed when implementing the Common

Safety Method on Risk Evaluation and Assessment (CSM-RA). This paper, based on practical experiences,

describes how to benefit from the CSM-RA; by both making the best out of the smart elements in the process

described in the CSM-RA and by organizing internally. It also discusses challenges that have been experienced

with the application of the CSM-RA. This paper contains among others the following points:

The CSM-RA has added value instead of being an administrative burden.

Flexible application makes it useful for any project/change, not only for significant changes.

A practical, mainly qualitative approach has given a wider involvement and understanding outside the

exclusive circle of risk experts, and hence a better basis for informed management decisions and for

safety management.

Internally organized Independent Assessment Body can facilitate experience transfer and organisational

learning while maintaining independence.

A pool of multi-disciplined professionals helps to build and maintain competence.

So what was in it for us? If applied in a reasonable way the process may give better organisational learning, more

transparent and risk based decisions and – yet to be proven – the expected added value of a safety management

that goes beyond the decision point and truly ensures lifecycle safety.

INTRODUCTION

The Common Safety Method on Risk Evaluation and Assessment (CSM-RA) came into force between 2010 and

2012. The CSM-RA aims to harmonize the risk management processes used to assess the safety levels and the

compliance with safety requirements, the exchange of safety-relevant information between different actors within

the rail sector and the evidence resulting from the application of a risk management process.

Benchmarking among railway undertakings and infrastructure managers in various countries shows that the

CSM-RA has been implemented quite differently in various countries and companies. Additionally the CSM-RA is

seen by some rail safety professionals as complicated and as something that should be avoided rather than used,

if possible. In our experience the CSM-RA, if applied well, is beneficial for various aspects of safety management.

Following the discussions in various professional forums we get the impression that too much focus and effort is

put into two steps of the process in particular:

What is a significant change

– apparently aiming at avoiding the application of the process, and


Quantitative risk acceptance criteria

- possibly because it is believed to be more objective and easier to base a decision on.

In fact, these elements are among the less important ones to achieve a good safety management and hence

obtain a good level of safety. Instead:

All decisions should be risk based, but the level of scrutiny should be adjusted to the complexity of the

change. If applied reasonably the process supports educated decision making without excessive

bureaucracy. And;

Risk acceptance based on qualitative estimation and evaluation is often more robust, more transparent

and more transferable than quantitative based on multiple – more or less hidden – assumptions and

simplified models and excludes the understanding among the decision makers.

What should be emphasized is:

the identified hazards,

the identified possible risk reducing measures (and the individual link between each hazard and

measure),

the documented decision process on which measures should be implemented (Safety requirements),

the life time follow-up of the implemented measures – including experience feedback of the efficiency of

the measures (Hazard management).

This paper describes how to benefit from the CSM-RA; by both making the best out of the smart elements in the

process described in the CSM-RA and by organizing internally. It also discusses challenges that have been

experienced with the application of the CSM-RA.

THE CSM-RA - ORIGINS AND IMPLEMENTATION

Europe

The Common Safety Method on Risk Evaluation and Assessment (CSM-RA) as referred to in article 6(3)(a) of the

Railway Safety Directive was decided by the EU Commission and the Commission CSM Regulation on risk

assessment (352/2009) was published in the Official Journal of the European Union on 29 April 2009.

The aim of the CSM-RA is to harmonize:

the risk management processes used to assess the safety levels and the compliance with safety

requirements,

the exchange of safety-relevant information between different actors within the rail sector in order to

manage the safety across the different interfaces which may exist within the sector, and

the evidence resulting from the application of the risk management process.

The CSM-RA contains a number of steps in the risk management process1, including system definition, risk

analysis, selection of Risk Acceptance Principles, Risk Evaluation, the implementation and

verification/demonstration of safety requirement, hazard management and independent assessment of the risk

management process. This is illustrated in the figure below that is taken from the CSM-RA regulation.

1 One may remark that although referred to as a method the CSM-RA does not contain a risk assessment method as such,

but rather describes a process for the risk assessment and management.


Figure 1: The risk management process as pictured in the CSM-RA

Due to the relative novelty of some of the regulation’s elements for several member states it was decided to have

a gradual implementation and thus the CSM-RA has been implemented in two phases. The first phase took effect

19 July 2010 covering all significant changes affecting vehicles, and all significant changes concerning structural

sub-systems where required by Article 14(1) of Directive 2008/57/EC or by a TSI. All other applications of the

CSM-RA were voluntary until 1 July 2012 when the CSM-RA became mandatory for all significant changes,

including operational and organizational changes. This gradual implementation was chosen to give actors the

opportunity to learn and apply the new common approach and gain experience from it2.

The implementation of the CSM-RA was supported by a series of workshops organized by the ERA’s Safety Unit

in different European cities where actors were invited to discuss the CSM-RA and its application.

Implementation in Norwegian legislation

In Norway the CSM-RA was implemented by creating regulation “Forskrift om felles sikkerhetsmetode for

risikovurderinger” (FOR-2010-03-12-401) which came into force per 12 March 2010. This national regulation

directly implemented the integral CSM-RA regulation through an unofficial translation as well as by pointing to the

official version in English language.

2 At least this has been the intention. The question is how many companies actually have tried to gain experience with the

CSM-RA before it became mandatory.


Unlike other countries the principles of the CSM-RA were not entirely new for Norwegian railways. The national

regulation sikkerhetsforskriften3, which is the Norwegian implementation of the EU Railway Safety Directive

(2004/49/EC)4, required that the National Safety Authority (NSA)/Railway Inspectorate (SJT) were notified of

changes in the infrastructure. The NSA/SJT was then to decide if an application to ask for permission to take the

new/changed infrastructure in service was required. Exceptions from the notification regime were maintenance

work and 1:1-replacements where elements were replaced by (near) identical elements or elements with an

identical function. While this regime has a different background than the CSM-RA, it did already ensure that any

change in the infrastructure had a risk assessment before implementation of the change and it hints at a basic

assessment of significance.

Also the different risk acceptance principles as described in the CSM-RA were not entirely new as they had been

used in a similar way to check out risk acceptance criteria.

Safety management in Jernbaneverket

For many years Jernbaneverket has had a management system of which safety management is an integral part.

The Safety Management System specifies a method/process for risk assessments and has a number of tools

available for the execution and documentation of risk assessments. Jernbaneverket also created a special

archive, or digital library, for risk assessments to facilitate documentation and access to them, follow-up of

hazards and preconditions and experience transfer between projects and locations.

The Safety Management System also contains risk acceptance criteria for Societal Risk and Individual Risk for

various target groups and descriptions (principles) how to meet these risk acceptance criteria, for example by

explicit estimation or by referring to a standard system. In fact it must be noted that early drafts of the CSM-RA

were in part the basis and inspiration for the internal management system processes and documents, several

years before the actual CSM-RA regulation was decided.

Jernbaneverket has an extensive professional organization to support management and employees in their

responsibilities with regard to safety management. The units that are responsible for operational tasks like traffic

control, construction of new infrastructure or maintenance and improvement of existing infrastructure have their

own safety professionals to support line management in their safety tasks, like doing risk assessments. Most

project managers and line managers on a certain level have dedicated safety professionals to support them.

There are a total of some 120 safety professionals, including hired consultants (mostly for construction projects).

The central safety staff is responsible for methods and tools on a system level as well for the maintenance of the

internal professional network for competence building and experience transfer.

As a general rule any change in the organization or infrastructure is subject to a form of risk assessment.

Changes in the infrastructure were under a notification regime as described above. Notifications and applications

for permission to take new or changed infrastructure in operation were always to be sent to the NSA/SJT

including relevant risk assessments. Later also organizational and operational changes were subject to formal risk

assessments.

Initially there was a variable quality of risk assessments. Also differences in the understanding of the roles of

quality assurance and approval of risk assessments were identified. What did signatures on the document’s front

page actually mean? Who owned and approved the document? What implies a quality check?

To guarantee and improve the quality of risk assessments a peer review regime for risk assessments was

implemented around late 2006. This peer review regime for risk assessments works as follows:

3 In the meantime replaced by a.o. the sikkerhetsstyringsforskriften

4 Which in turn of course originally for a large part has been modeled on Norwegian safety regulations.


Before a risk assessment can be approved by the responsible manager, it has to be peer reviewed by a

qualified reviewer.

The reviewers have to fulfill a number of requirements:

o They have to be independent from the project (i.e. not actively involved in any activities directly

related to the project).

o They must have solid experience in doing/leading risk assessments in Jernbaneverket.

o They must have participated in a one day workshop in order to gain understanding of the quality

requirements for risk assessments and tools (as specified in a checklist in the safety

management system).

o They must keep this qualification up to date by taking part in two yearly refresher workshops.

The peer review is performed according to the criteria in the checklist. Eventual shortcomings are

corrected and, if necessary, the risk assessment is peer reviewed once more before it is sent for formal

approval.

Looking back the Jernbaneverket’s regime of peer review and quality assurance have led to a higher level of

quality of risk assessments, a better documentation of hazards and risks, a more uniform application of risk

acceptance criteria and risk assessment methods and an increased application of risk assessments as a naturally

used tool in case of changes - large and small, technical, operational and organizational.

Implementation of the CSM-RA in Jernbaneverket

Some rail safety professionals perceive the CSM-RA as something that should be avoided rather than used,

which is evidenced by a certain reluctance to classify a change as significant and applying a rather “high

threshold” for the significance. Partly this may be due to the regulation being new, triggering a certain aversion to

change existing practices. Also European regulations are often perceived as complicated.

It is also seen that some - for various reasons - want to maintain a complicated approach to the CSM-RA. One

real-life example that has been observed recently is at one on-going modestly sized project where a consultant

has spent a disproportional amount of time on the work as an Independent Assessment Body (IAB).

There is a fear that applying the CSM-RA triggers a lot of additional work, it is seen as something that is of little

additional value to oneself, but rather something that has to be done for the inspectorate as part of a notification

or request for approval to take infrastructure into service. This perception is untrue because nearly all elements

from the CSM-RA are ordinary steps in a project. Only the significance assessment and the eventual work of the

IAB are exceptions to this statement.

The aim of the implementation of the CSM-RA in Jernbaneverket was contrary to these popular beliefs.

Jernbaneverket’s aim was to benefit from the regulation by making the best out of the smart elements in the

process described in the CSM-RA by adopting a pragmatic and practical approach and especially by organizing

all elements internally. Also some attention was given to ‘demystify’ the regulation’s aim and contents. This

means that primarily the stakeholder was to define the standard of how the CSM-RA was to be implemented on

Norwegian rail infrastructure, instead of leaving the definition of the standard to consultants as has happened on

many other occasions before.

As discussed above many elements/requirements were already implemented in Jernbaneverket’s Safety

Management System. The result was that the principles of the CSM-RA with regard to risk assessment and

hazard management had been implemented such that it applied in a flexible way to any change, regardless size

or significance. When the CSM-RA was introduced in Norwegian regulations in 2010 (with full application from

2012 on), further implementation of the CSM-RA required mainly the formalization of a method for the

Independent Assessment Body within Jernbaneverket.


Because most elements already were implemented in the Safety Management System it was briefly considered to

apply the CSM-RA for every project. After all there was only a minimal gap between the daily practice and the

requirements in the regulation. For instance the peer review regime for risk assessments could be considered

being an “IAB light”

Eventually it was decided not to apply CSM-RA for every project in order to not put an additional administrative

burden (specifically of writing a formal Safety Assessment Report by the IAB) on all projects, including the many

small projects where a formal Safety Assessment Report would have little added value, not more than a peer-

reviewed risk assessment.

In a way, however, the implementation of the CSM-RA in Jernbaneverket’s Safety Management System has led

to a flexible application for any project/change instead of only being a tool only for “significant” changes. The

pragmatic and practical oriented approach clarifies the added value (in contrast to perceived administrative

burden) which leads to greater ownership of the process and increased use of the process.

Part of Jernbaneverket’s flexible implementation process was that instead of starting with a complete package the

missing tools (e.g. how to write the report) were developed as the implementation went along in a kind of trial and

error/tinkering process. For example, it was chosen to work with temporary status reports that were discussed

during regular meetings between the IAB and representatives from the projects. Based on feedback and

experiences the template for the report was altered and adapted to have mutual benefit from the document so

that it allowed for documenting the IAB’s verdict about the Risk Management process as well as tracking actions

and the work done by the IAB.

Benchmark

To support the implementation within Jernbaneverket an international benchmark was conducted among other

railway companies to get an impression of best practices of the implementation of the CSM-RA.

In late 2013 a questionnaire was sent out by Jernbaneverket among members of the International Rail Safety

Network (ISRN, a sub-group of the UIC Safety Platform). Out of ca. 15 European IRSN members, 9

(infrastructure managers or railway undertaking, or both) replied to the questionnaire. All have experience with the

regulation.

Conclusions from the benchmark (details cannot be given for reasons of confidentiality):

All respondents had implemented the CSM-RA as part of their safety management system.

As basis for the significance assessment all respondents used the six criteria from the regulation, some

had defined additional criteria.

«Lower» limits for the significance assessment have not been mentioned. Most appear to apply the

assessment regardless the «size» of the change, some even express this explicitly.

Most respondents used both internal and external assessment bodies, one respondent outsourced

everything and another uses only internal assessment bodies.

Those who had established internal assessment bodies had widely different organizations of the IAB,

some relying on an ad-hoc organization while others had more, or fully structured organizations.

The process for participation of the IAB in projects also varied widely. Respondents who outsourced all or

most of the IAB’s work came rather late into processes (typically shortly before the end of a project) while

those with a preference for internal assessment bodies also prefer involvement in projects as early as

possible.

There is no unified form of the Safety Assessment Report, although most members referred to the

regulation for specifications of the contents.


This benchmark among railway undertakings and infrastructure managers in various countries shows that the

CSM-RA has been implemented quite differently in various countries and companies.

Internal organization of the IAB in Jernbaneverket

It was chosen to establish an internal pool of qualified experts from various backgrounds and departments who

could take on the role of IAB for projects which required so instead of outsourcing this function. Advantages and

background for the way chosen include the desire to retain knowledge within the organization, to improve

experience transfer (both between projects and between IAB) and contribute to organizational learning.

A Steering Group was established in late 2012 to manage the implementation and improvement of the IAB

function within the company. This Steering Group was chaired by the Safety Manager from the Central Safety

Department with participation of senior safety professionals from all divisions. This broad involvement helped to

ensure independence of the IABs (offering the opportunity to cross-use IABs from one division for projects of

another division) and secured involvement across the entire company.

To man the internal IAB function a pool of qualified assessors was established in spring 2013. Whether internal

advisors were qualified to take part in this pool was to be decided by members of the Steering Group, based on

competence («senior» safety/quality/RAMS personnel and qualified for the peer review for risk assessment) and

independence from the project.

It was chosen not to establish a full-time IAB department, but to draw on professionals who as part of their

ordinary job (e.g. as Safety Advisor) could be appointed as IAB for certain projects. Expected advantages of this

approach were that professionals with fresh hands-on experience in doing risk assessments and other elements

of risk management could use their knowledge while doing an independent assessment of another project, and at

the same time gain experiences that could improve their ordinary job. Independence from projects was not

guaranteed by having IABs in an absolutely independent department, but rather by relying on relative

independence (e.g. a safety professional from the Traffic division acting as IAB at a Construction project).

Projects applied for support by and IAB at the Steering Group and the IABs were then assigned to projects by the

Steering Group. At first the IAB pool started with a limited number of personnel, as more demand for this support

arose, the pool was enlarged and new members in the pool teamed up with more experienced IABs.

So far around 15 large projects, including the implementation of ERTMS on a track in the greater Oslo area, the

Follobanen (a project that will establish 19 km of double track tunnel between Ski and Oslo) and Holm-Nykirke (a

project on the west side of the Oslofjord that will deliver 14 km of double track with an in-tunnel station).

Initially Jernbaneverket hired some experienced and highly qualified consultants for one or two projects and

involved them in the feedback meetings for IAB’s in order to get outside-input in building methods, processes and

tools.

The process of the IAB can be described with the flowchart below: after a project has signalled its need for an IAB

and these are appointed the work starts with a Kick-off meeting where IAB and the project clarify working

methods, expectations, schedule and milestones. Subjects to discuss in the kick-off meeting are a.o. the scope of

the project (and thus the IAB’s work) and its organization, the process for the IAB, points of contact and the

(access) to documentation. After an initial review of relevant documentation the IAB will come with a plan of the

independent assessment which includes a number of meetings and further documents to review or people to

interview. In the course of time the activities from the assessment plan will be executed and documented by the

IAB in a temporary Assessment Report. This contains an overview of meetings and subjects discussed, as well

as a log of findings/observations and how the project decides to follow-up on these. This will see several

iterations. A final Assessment Report is delivered by the IAB after the project is finished.


This final point is significant. Many projects don’t realise that the IAB’s tasks continues until after the handover of

a project to operations because not all hazards can be managed in the project; some hazards are transferred to

the operations phase.

Figure 2: Flowchart describing the process for the IAB within Jernbaneverket

APPROACH AND EXPERIENCES

After almost a year of working with the IAB internally organized within Jernbaneverket, serving approximately 15

major infrastructure projects, and ample experience with other elements of the CSM-RA we now can share

experiences and challenges that Jernbaneverket has come across and provide practical approaches for the

application of the CSM-RA.

In retrospect one can conclude that the implementation of the CSM-RA in Jernbaneverket’s Safety Management

System went relatively easy. This was in part thanks to the ‘head start’ as described before: having the

opportunity to implement gradually helps. Another factor that contributed to the implementation was the flexible

process that was applied. Some elements, like the significance assessment, were first applied in practice, and

then incorporated into the Safety Management System. This approach secured that the Management System

describes the best practice that is followed instead of a theoretical approach that is hard to use in practice.

Significance assessment

Implementation of the Significance Assessment happened in two different forms within Jernbaneverket, and this

was one of the elements of the CSM-RA that was first used in practice and only afterwards incorporated into the

Safety Management System. Reason for this was that the Significance Assessment has been coupled to the

notification of infrastructure changes to the NSA/SJT.

Delivery of documentation

from project

Projectplan/System definition/etc.

Kick-off meeting Assessment planActivities according to assessment plan

Assessment report

Assessment reportRAMS-plan/Safetyplan

Define scope, boundaries and presumptions

Review activities connected to safety

in the projecty

Minutes of meeting Assessment plan

Review hazard log/-register

Review risk assessments and

follow-up

Review safety organisation in

project

Temporary Assessment report

Log of observations and follow-up

Review other documentation

Status and info meetings

Status report or Minutes of meeting

Discuss findings and observations done

during the assessment

Clarify questions and further

activities

Temporary Assessment report

Review steering and management of

safety in the project


The first form was a detailed template where each sub-system of the infrastructure was assessed separately on

the six criteria as specified in the CSM-RA after which a general conclusion was drawn. The second form was the

one practiced for smaller projects where the six criteria for significance from the CSM-RA were discussed as part

of the notification that was sent to the NSA.

While none of the two forms is necessarily better than the other, we have seen instances where the Significance

Assessment has led to a disproportional use of time, while it should have been an easy obvious decision due to

the project’s nature, and even more because the signalling system was a part of the TSI-CCS5 which requires use

of the CSM-RA.

Another problem that has been observed is that sub-projects, or newly added parts to a project, were subject to

an additional (unnecessary) Significance Assessment while the project as a whole already has been assessed of

having to follow the CSM-RA.

Experience also teaches that good guidance on the criteria for significance is needed. For example:

what does “failure consequence” mean (e.g. only consequences related to the actual change should be

included),

how to handle “reversibility” (blowing up part of a mountain to build a track indeed is not reversible, but

not the issue here),

complexity and a combination of various disciplines in one project is not necessarily the same.

The Significance Assessment in itself should be a relative simple process which can be done in a structured way

with minimum effort.

Process of risk assessment

As described before Jernbaneverket’s Safety Management System already followed largely the process that is

described in the CSM-RA. Over a period of about seven years several elements have turned out to be beneficial

for projects and safety management:

instead of an “one-size-fits-all” approach that may be too bureaucratic for smaller projects, adjustment of

the risk assessment to the complexity of the change or project makes it fit for purpose and useful,

the approach can be used for technical, organizational or operational changes without any problems,

the peer review regime has led secured quality of risk assessments and over the course of years also to

a higher level of risk assessments in general,

the creation of a centralized digital risk assessment archive facilitates sharing of information, experience

transfer and re-use of previously done work in similar cases,

the creation of a digital tool, called strekningsanalyse, that connects various databases, among which a

risk model, the asset management database, the train plan, the risk assessment archive and the incident

reporting and handling system. This allows for even greater access of good data which enables

management and safety professionals to perform their tasks more efficiently and have better control.

5 Technical specification for interoperability relating to the control-command and signalling subsystems of the trans-

European rail system.


Figure 3: Screenshot of the Strekningsanalyse tool

As said before, the Safety Assessment Report is perceived by some as something that is done for the NSA (since

it shall be sent to the NSA as part of the application for permission to take infrastructure into use), but the report is

actually meant for the benefit of the project to strengthen and document the project’s risk management. This view

is clearly shared by the NSA/SJT.

Use of Risk Acceptance Principles

The risk management process includes three alternative principles:

Code of Practice (CoP): the acceptability is proven by the establishment of the code.

Similar reference system: acceptability based on “proven in use”.

Explicit risk estimation - how to document.

The alternative principles are applied to each identified hazard (not the whole system). For most systems, a

combination of the three will be applicable. Most changes will consist entirely of standard elements (CoP or

Reference system). But at the same time, all changes will require some explicit risk estimation, since the use of a

combination and interaction of standard elements will (almost) always involve interfaces, operation, external

factors, that are unique and sometimes novel.

As mentioned earlier, there seems to be an excessive focus on quantitative risk estimation and risk acceptance

rather than qualitative. It may be in the interest of certain disciplines to keep the methodology complex in this way

and hence suitable for outsourcing. It may also be an understanding of qualitative assessments as more neutral,

more binding, more transferable and less subject to manipulation. We would argue that the opposite is more

likely.

Even if a quantitative approach resembles a mathematical proof, it hides a number of necessary assumptions,

limitations and simplifications. Whereas a qualitative approach that focuses on hazards, scenarios and practical

barriers and other risk reducing measures is more transparent and less subject to difference in opinion. This


approach also allows for a better understanding among non-specialists in risk assessment, e.g. the actual

decision maker. Not only will this lead to informed decisions; a better understanding and involvement among

other professions will ensure a more qualified vigilance, maintenance etc. by various staff.

A qualitative estimation is also better for identifying non-technical risk such as interfaces and operations. As more

risk is controlled by technical measures, this will be an increasing share of the risk. The CSM-RA applies also to

operational and organizational changes. For these, a qualitative approach seems to be the only one feasible.

Risk acceptance criteria has traditionally been misunderstood as something quantitative - the different risk

acceptance principles as mentioned in the CSM-RA has added greatly to the understanding that risk acceptance

criteria also can be qualitative, for example ‘standard system’ or qualitative estimation to evaluate acceptable risk.

Hazard management

Hazard Management has been the most challenging element of CSM – or any process of risk management - and

the topic of which the organization have the most to gain. As of now hazard management is constrained by the

lack of a customized (digital) tool. Identified hazards are followed up through various types of hazard logs and -

registers, many using excel files which have several limitations. An obvious disadvantage is that it is difficult to get

an overview of the various hazards across projects and throughout the project lifecycle. The aims of implementing

hazard management into the Strekningsanalyse tool are to:

enable easier and more dynamic transfer of hazards and follow-up between the various project phases

and operations,

enable comparisons of effects of safety measures across different projects,

provide track managers with the overview of measures and preconditions related to the infrastructure

they are responsible for,

provide better traceability.

CSM requires all hazards to be included in the hazard log. This has proven to give large, unmanageable lists

where the key hazards disappear among the vast amount of hazards.

The Strekningsanalyse risk tool combines various safety related information linked to a location. This includes

Technical barriers, estimated risk, incident and accidents (statistics and individually described). In the future it will

also include safety requirements and preconditions put down in risk assessments. This will allow for a

manageable Hazard management in a life cycle perspective, accumulated for the whole network.


Figure 4: Sample from Strekningsanalyse showing a level crossing with details on technical protection, risk,

incidents and accidents, etc.

One clear benefit of the application of the CSM-RA and activities of an IAB in a project is that it strengthens the

follow-up of preconditions and eventual changes to the project. A well-applied IAB can therefore be an important

element in the management of change, even though the role of IAB never was meant to be that in the first place.

Organizational learning

One main reason for the chosen path for implementation was to have a maximum potential for organizational

learning, something which could only be done through the use of internal personnel taking the role of the

Independent assessment body (IAB). By outsourcing the task of the IAB a lower ownership of the process was to

be expected and also the knowledge and experience transfer would for the greater part happen outside of the

organisation.

There have been regular feedback meetings (roughly every other month) for both the steering group and the

professionals that participated in the IAB pool. In these meetings the status for each project was reviewed, issues

that had risen during the work with the projects or the documentation were discussed, new developments were

reviewed and several meetings concentrated on the in-depth study of one case in order to find out best practices.

For these feedback meetings also external IABs were invited.

Also the way the Safety Assessment Report was designed was to benefit of continuous improvement and

organizational learning as described above.

Besides the organizational learning within the pool of safety professionals involved in the CSM-RA (and especially

the IAB) there was also organizational learning for the projects. The internal IAB had the possibility to

communicate what worked and what didn’t, thus facilitating experience transfer from one project to another.


Finally having an internal IAB function within the company enables direct feedback about safety management

system procedures and routines from projects to Safety and Quality professionals in central positions. This has

for example led to revision of some Safety Management System documents/templates, an internal discussion

about quantitative analyses and clarifications about how to handle external assessment reports by the project.

Independence and the role of IAB

Since Jernbaneverket chose to primarily use internal Safety and Quality advisors in the role of IAB, one issue that

arose was how to deal with having various roles at the same time. Because the people acting as IAB are highly

competent and knowledgeable internal Safety and Quality advisors it was very tempting to get into an

advising/guiding role during the process. For example when there were questions about how to apply risk

assessment methods or how to handle the hazard log. There is a thin line between advising and losing one’s

independence.

The mentioned advising role does, of course, have benefits and especially when it’s early in a project it can be

relatively unproblematic to “switch hats” during a meeting, from IAB to Safety advisor and back. This facilitates

that one project learns from the others which in the end will help to have a safer and more efficient way of

working.

The IAB and NoBo

One issue that had to be cleared early on in the implementation of a routine for IAB within Jernbaneverket was

the involvement of a Notified Body (NoBo). In article 7 (3) in regulation 352/2009 it says that:

“In the case referred to in point (b) of Article 5(1), the independent assessment shall be part of the task of the

notified body, unless otherwise prescribed by the TSI.”

It was our concern that the TSI would overrule our choice of how to perform the task of IAB. We assumed that the

intention of the article was to avoid unnecessary cost and formalities with two external organs in a project.

Another point of concern was that this opened for one IAB for sub-systems where this is prescribed by a TSI and

one or more IABs for other sub-systems. In our view this would conflict with the basic philosophy that the IAB

shall ensure that the whole of the safety management in a project is covered, not just a collection of parts.

Jernbaneverket felt that the use of an internal IAB that is independent of the project gave a better opportunity for

learning and improvement between projects as well as it provides a better total view than if this was outsourced to

a couple of different consultants, or NoBos. For this reason the question about the demarcation line between the

tasks of NoBo and IAB was checked with both the ERA and the NSA.

The NSA acknowledged the added value of an internal IAB. The NSA was of the opinion that the regulation

clearly stipulates that the independent assessment in cases where the application of the CSM-RA was made

mandatory through a TSI the role of IAB shall be part of the tasks of the NoBo. In that respect Jernbaneverket’s

concern that article 7(3) would overrule its choice of IAB was real and something that Jernbaneverket had to

accept and manage.

However, the NSA was of the opinion that even if the independent assessment was part of the task of the NoBo,

it would still be possible to arrange this such that the task could be performed by Jernbaneverket’s internal IAB. A

NoBo has the possibility to outsource part of his tasks to others and this gives Jernbaneverket the opportunity to

contractual oblige NoBos that the independent assessment will be done by Jernbaneverket’s internal IAB whose

report is then cross accepted by the NoBo.

This explanation of the regulation was supported by the answer from ERA.

CONCLUSION


This paper started with the question: “CSM-RA, What’s in it for us”. Looking back on experiences from and after

the implementation one can conclude that if applied in a reasonable way the process described in the CSM-RA

may give better organisational learning, more transparent and risk based decisions and – yet to be proven – the

expected added value of a safety management that goes beyond the decision point and truly ensures lifecycle

safety.

Common Safety Method or Best Practice - A Practical ... · CSM-RA were voluntary until 1 July 2012...

Documents

Transcript of Common Safety Method or Best Practice - A Practical ... · CSM-RA were voluntary until 1 July 2012...